Overview

overview

10

Static

static

3

03fa00884c...d8.dll

windows7-x64

10

03fa00884c...d8.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 19:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    03fa00884cf73c17010e554ad52bc98e56e57b176a11e524bd98a8af6fb8c9d8.dll

  • Size

    796KB

  • MD5

    2f586014e2b096df6dfdd8015e326a3d

  • SHA1

    6b37190de9e2cf9f5be9c54c49550799fc1d2651

  • SHA256

    03fa00884cf73c17010e554ad52bc98e56e57b176a11e524bd98a8af6fb8c9d8

  • SHA512

    5131ddf71a528ae982426f660776c742db9b85a9c955c496425b1d86fc12f3886563f9f537f3bc2ad02448772f288a2ed37d46ac68f4af9ed092de78c069c3ad

  • SSDEEP

    12288:RBHgxzPkHLCZmx0Kvf27MV5SlZvuAYr42Xq0:RB8sHwEf27Mn5br42Xd

Score
10/10
dridexbotnetevasionpayloadpersistencetrojan

Malware Config

Signatures

  • Dridex

    Dridex(known as Bugat/Cridex) is a form of malware that specializes in stealing bank credentials.

    botnetdridex
  • Dridex family
    dridex
  • Dridex Shellcode 1 IoCs

    Detects Dridex Payload shellcode injected in Explorer process.

    botnetpayload
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    evasiontrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\03fa00884cf73c17010e554ad52bc98e56e57b176a11e524bd98a8af6fb8c9d8.dll,#1
    1⤵
    • Checks whether UAC is enabled
    • Suspicious behavior: EnumeratesProcesses
    PID:2340
  • C:\Windows\system32\VaultSysUi.exe
    C:\Windows\system32\VaultSysUi.exe
    1⤵
      PID:1648
    • C:\Users\Admin\AppData\Local\rWp6E\VaultSysUi.exe
      C:\Users\Admin\AppData\Local\rWp6E\VaultSysUi.exe
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Checks whether UAC is enabled
      PID:2564
    • C:\Windows\system32\FXSCOVER.exe
      C:\Windows\system32\FXSCOVER.exe
      1⤵
        PID:836
      • C:\Users\Admin\AppData\Local\Uhz9l\FXSCOVER.exe
        C:\Users\Admin\AppData\Local\Uhz9l\FXSCOVER.exe
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        PID:2084
      • C:\Windows\system32\DWWIN.EXE
        C:\Windows\system32\DWWIN.EXE
        1⤵
          PID:1808
        • C:\Users\Admin\AppData\Local\ImKMOAGf\DWWIN.EXE
          C:\Users\Admin\AppData\Local\ImKMOAGf\DWWIN.EXE
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          PID:1984

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\ImKMOAGf\VERSION.dll
          Filesize

          796KB

          MD5

          89ffeffee659f9f808bdb61ffca5d361

          SHA1

          1fc3331fb77eb220249967fe02179a252d448a01

          SHA256

          85e9db8e896bd068b1891ad48bf5db201624674760e4b9b6d46c51601bea4e4d

          SHA512

          0e772db03046edf72f4781168cda6a54720ebb89c354308f7e23b3d5cc352d838773d78d26c6cfb33839c16bb9a4494d6c12ef21d2721f54a761dd970b3e5f13

          Download Submit

        • C:\Users\Admin\AppData\Local\Uhz9l\MFC42u.dll
          Filesize

          824KB

          MD5

          92fd84e80634bf2bebe540f52348120f

          SHA1

          c1a288d0fc13a02acafe8a82733b8ac971ef7788

          SHA256

          1abf509d16a8f48ac7d4abeeae4caba6034ad8f90b2d214cfc3d6e3dc6a22323

          SHA512

          f8affad6a18ea20c3ef9239b344483f836cae3f885268073da0165f8b78d77f219e65b6490e9e39c46beb9983538c7f9d65a73bb1bc918f2b814c962b1930487

          Download Submit

        • C:\Users\Admin\AppData\Local\rWp6E\credui.dll
          Filesize

          800KB

          MD5

          2dd91a322d478a94b63701b78d4bb8f4

          SHA1

          f22e69ea84cd9983c8397da6e6b2bee82bf094c6

          SHA256

          0ad534dfa2534036d50963cd0b4c09e3e247cba6ca7edcf404075ab2f1cba60d

          SHA512

          2441086b6f980259fface79cf170ff42b80a4e0816963e035274f695ebb12245026022f4faf7a6f412849a667e24d392af1ed4ae50900f14146e98a2438e12cc

          Download Submit

        • C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\STARTM~1\Programs\Startup\Kkwpdvbxvgx.lnk
          Filesize

          1KB

          MD5

          cd31dc8d990dd66697da361852611149

          SHA1

          169d443cda81b520b0b151a4d8602e0c72b61da6

          SHA256

          383abc957bcbcc3975843088af1a03de9890c1aade58cb1b50f03eadb92ab017

          SHA512

          a154895a8fff4619eecded8a1b75ede7c3c1f5d9b95452d1ef7861cbdb0a6635a01093cc8bd1e4f1df41f29f88b06e28652a512146b5a119e1059b0aa0f22b8f

          Download Submit

        • \Users\Admin\AppData\Local\ImKMOAGf\DWWIN.EXE
          Filesize

          149KB

          MD5

          25247e3c4e7a7a73baeea6c0008952b1

          SHA1

          8087adb7a71a696139ddc5c5abc1a84f817ab688

          SHA256

          c740497a7e58f7678e25b68b03573b4136a364464ee97c02ce5e0fe00cec7050

          SHA512

          bc27946894e7775f772ac882740430c8b9d3f37a573e2524207f7bb32f44d4a227cb1e9a555e118d68af7f1e129abd2ac5cabbcd8bbf3551c485bae05108324b

          Download Submit

        • \Users\Admin\AppData\Local\Uhz9l\FXSCOVER.exe
          Filesize

          261KB

          MD5

          5e2c61be8e093dbfe7fc37585be42869

          SHA1

          ed46cda4ece3ef187b0cf29ca843a6c6735af6c0

          SHA256

          3d1719c1caa5d6b0358830a30713c43a9710fbf7bcedca20815be54d24aa9121

          SHA512

          90bf180c8f6e3d0286a19fcd4727f23925a39c90113db979e1b4bbf8f0491471ad26c877a6e2cf49638b14050d952a9ee02a3c1293129843ec6bba01bc325d0b

          Download Submit

        • \Users\Admin\AppData\Local\rWp6E\VaultSysUi.exe
          Filesize

          39KB

          MD5

          f40ef105d94350d36c799ee23f7fec0f

          SHA1

          ee3a5cfe8b807e1c1718a27eb97fa134360816e3

          SHA256

          eeb3f79be414b81f4eb8167390641787f14a033414533fb8de651c2247d054b2

          SHA512

          f16bcca6f6cecbdae117d5a41de7e86a6d9dfdfa2ce8c75ebff10d097083c106e7f9d030debed8cb20fdd71815a8aa7723a1d3c68b38ec382e55370331c594a1

          Download Submit

        • memory/1196-38-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-4-0x0000000076B36000-0x0000000076B37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-12-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-10-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-107-0x0000000076B36000-0x0000000076B37000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-9-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-21-0x0000000002990000-0x0000000002997000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1196-23-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1196-32-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-5-0x0000000002E70000-0x0000000002E71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-22-0x0000000076D41000-0x0000000076D42000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1196-20-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-8-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-13-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1196-7-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/1984-89-0x0000000000290000-0x0000000000297000-memory.dmp

          Filesize

          28KB

          Download

        • memory/1984-95-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/2084-76-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2084-77-0x0000000140000000-0x00000001400CE000-memory.dmp

          Filesize

          824KB

          Download

        • memory/2084-71-0x0000000140000000-0x00000001400CE000-memory.dmp

          Filesize

          824KB

          Download

        • memory/2340-0-0x00000000001A0000-0x00000000001A7000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2340-11-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/2340-1-0x0000000140000000-0x00000001400C7000-memory.dmp

          Filesize

          796KB

          Download

        • memory/2564-56-0x0000000000270000-0x0000000000277000-memory.dmp

          Filesize

          28KB

          Download

        • memory/2564-59-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download

        • memory/2564-53-0x0000000140000000-0x00000001400C8000-memory.dmp

          Filesize

          800KB

          Download